Episode 92

Posted on Friday, Oct 2, 2020
It’s CVE bankruptcy! With a deluge of CVEs to cover from the last 2 weeks, we take a particular look at the ZeroLogon vulnerability in Samba this week, plus Alex covers the AppArmor 3 release and some recent / upcoming webinars hosted by the Ubuntu Security team.

Show Notes

This week in Ubuntu Security Updates

121 unique CVEs addressed

[USN-4510-1, USN-4510-2] Samba vulnerability

  • 1 CVE addressed in Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)
  • “ZeroLogon”
  • Would allow an attacker who can already communicate with the domain controller to reset its password, then take control of the DC and obtain the domain admin’s credentials
  • Flaw in the NetLogon protocol would allow the attacker to impersonate any computer in the domain, even the DC itself, and execute calls on that computer’s behalf
  • This flaw was in the cryptographic authentication scheme employed by the NetLogon protocol
  • Samba also implements this protocol, and so contained the same flaw
  • In both cases (Windows AD and Samba) there is an option to use a more secure authentication mechanism; for older Ubuntu releases like Trusty, Xenial and Bionic the default configuration as specified by upstream Samba did not enforce its use by default
  • So the fix is a simple configuration change to enable this by default
  • This is done by patching Samba directly (rather than trying to, say, update everyone’s deployed /etc/samba.conf or similar), which still allows a local admin to turn this off if they so desire (although this is definitely not recommended)
  • One example of how Ubuntu tries to be secure by default: when known better security configuration options become available we try to enable them (whilst weighing up the likelihood of breaking existing installs, which we try very hard not to do)
  • Similarly we have done the same for the various speculative execution mitigations; almost all default to on, even at the expense of a performance hit in that case
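As an added illustration (not code from the podcast or from the Samba project), a small check for the smb.conf parameter the fix turns on by default, `server schannel`, whose built-in default Samba changed from `auto` to `yes`. The sample configurations are constructed; the script flags an explicit local override that turns enforcement back off.

```shell
#!/bin/sh
# Added example, not from the podcast or the Samba project: classify the
# "server schannel" setting in an smb.conf. The ZeroLogon fix changed Samba's
# built-in default from "auto" to "yes"; an explicit "auto" or "no" in [global]
# is a local override that turns enforcement back off.

# Constructed samples: the weak (pre-fix default) setting and the corrected one.
WEAK_CONF='[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   server schannel = auto
'
FIXED_CONF='[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   server schannel = yes
'

# schannel_state FILE -> prints "enforced", "disabled" or "default"
schannel_state() {
    # Samba ignores case and whitespace in parameter names, and the last
    # assignment wins, so lowercase the file, take the final match and strip
    # trailing comments and whitespace from the value.
    val=$(tr 'A-Z' 'a-z' < "$1" \
          | sed -n 's/^[[:space:]]*server[[:space:]]*schannel[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p' \
          | tail -n 1 | tr -d '[:space:]')
    case "$val" in
        yes|true|1)       echo enforced ;;
        auto|no|false|0)  echo disabled ;;
        "")               echo default ;;   # not set: relies on the build's default
        *)                echo unknown ;;
    esac
}

# Stand-alone demo over the constructed samples
tmp=$(mktemp -d)
printf '%s' "$WEAK_CONF"  > "$tmp/weak.conf"
printf '%s' "$FIXED_CONF" > "$tmp/fixed.conf"
echo "weak.conf:  $(schannel_state "$tmp/weak.conf")"    # disabled
echo "fixed.conf: $(schannel_state "$tmp/fixed.conf")"   # enforced
rm -rf "$tmp"
```

On a live host, `testparm -sv | grep -i 'server schannel'` shows the value Samba actually uses, including the built-in default when the parameter is not set in the file.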

[USN-4504-1] OpenSSL vulnerabilities

[USN-4505-1] PHPMailer vulnerability

[USN-4506-1] MCabber vulnerability

[USN-4507-1] ncmpc vulnerability

[USN-4508-1] StoreBackup vulnerability

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4509-1] Perl DBI module vulnerabilities

[USN-4511-1] QEMU vulnerability

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4512-1] util-linux vulnerability

[USN-4513-1] apng2gif vulnerability

[USN-4514-1] libproxy vulnerability

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4515-1] Pure-FTPd vulnerability

[USN-4516-1] GnuPG vulnerability

[USN-4518-1] xawtv vulnerability

[USN-4519-1] PulseAudio vulnerability

[USN-4520-1] Exim SpamAssassin vulnerability

[USN-4521-1] pam_tacplus vulnerability

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4522-1] noVNC vulnerability

[USN-4523-1] LibOFX vulnerability

[USN-4524-1] TNEF vulnerabilities

[USN-4525-1] Linux kernel vulnerabilities

[USN-4526-1] Linux kernel vulnerabilities

[USN-4527-1] Linux kernel vulnerabilities

[USN-4528-1] Ceph vulnerabilities

[USN-4529-1] FreeImage vulnerabilities

[USN-4531-1] BusyBox vulnerability

[USN-4530-1] Debian-LAN vulnerabilities

[USN-4532-1] Netty vulnerabilities

[USN-4533-1] LTSP Display Manager vulnerabilities

[USN-4534-1] Perl DBI module vulnerability

  • 1 CVE addressed in Precise ESM (12.04 ESM), Trusty ESM (14.04 ESM), Xenial (16.04 LTS), Bionic (18.04 LTS)

[USN-4535-1] RDFLib vulnerability

[USN-4537-1] Aptdaemon vulnerability

  • 1 CVE addressed in Xenial (16.04 LTS), Bionic (18.04 LTS), Focal (20.04 LTS)

[USN-4538-1] PackageKit vulnerabilities

[USN-4536-1] SPIP vulnerabilities

[USN-4539-1] AWL vulnerability

[USN-4540-1] atftpd vulnerabilities

[USN-4542-1] MiniUPnPd vulnerabilities

[USN-4543-1] Sanitize vulnerability

[USN-4541-1] Gnuplot vulnerabilities

[USN-4545-1] libquicktime vulnerabilities

[USN-4546-1] Firefox vulnerabilities

[USN-3968-3] Sudo vulnerabilities

[USN-4549-1] ImageMagick vulnerabilities

[USN-4548-1] libuv vulnerability

[USN-4547-1] iTALC vulnerabilities

[USN-4553-1] Teeworlds vulnerability

[USN-4552-1] Pam-python vulnerability

[USN-4550-1] DPDK vulnerabilities

[USN-4551-1] Squid vulnerabilities

[USN-4554-1] libPGF vulnerability

[USN-4547-2] SSVNC vulnerabilities

[USN-4556-1] netqmail vulnerabilities

Goings on in Ubuntu Security Community

AppArmor 3.0 Release

FIPS certification and CIS compliance with Ubuntu Webinar

  • 2020-10-01 (Thu)
  • More on the Ubuntu FIPS certification for cryptographic modules in Ubuntu 18.04 LTS and 16.04 LTS and the Ubuntu FIPS public cloud images
  • The difference between FIPS certified and FIPS compliant modules
  • More on compliance benchmark documentation for Ubuntu CIS compliance
  • How to quickly harden Ubuntu systems and easily view which rules your systems are not compliant with using the CIS automation tooling from Canonical [demo]
  • Presented by Vineetha Kamatha (Security Engineering Manager), Shaun Murphy (Public Cloud Sr Product Manager) & Lech Sandecki (Product Manager)
  • https://www.brighttalk.com/webcast/6793/432536/fips-certification-and-cis-compliance-with-ubuntu

Best Practices for Securing Open Source Webinar

Get in contact